Analysis
-
max time kernel
137s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
21-10-2022 07:12
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe
Resource
win7-20220812-en
General
-
Target
SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe
-
Size
756KB
-
MD5
91e64955817f4a2c4a1d39926ad0ebc3
-
SHA1
705970ffaa5d04be9ad37c001430f58fddf79d28
-
SHA256
adcb4cadc4a186f55ab40167534aba3f36f43d716f3a2742942bcf73c2db6668
-
SHA512
e6649200a350cca0d6c7bfeab4ba2e65f763a76118e2f51c6de982340c8260d3e185773b24537b47d103ff56b7d1242f16e03b793c6078528f572136e0f5be90
-
SSDEEP
12288:EmxK67awP//KF5ccBBWGc2YQ5QFIgwgBzj+H9qqFf3L0bJprfIq0cT4rpFnL+hQ:Ex6Ga//KF5+2l5Qig/N+H9qAuDI3ckzF
Malware Config
Extracted
netwire
podzeye2.duckdns.org:4433
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/2084-145-0x0000000000400000-0x0000000000450000-memory.dmp netwire behavioral2/memory/2084-147-0x0000000000400000-0x0000000000450000-memory.dmp netwire behavioral2/memory/2084-149-0x0000000000400000-0x0000000000450000-memory.dmp netwire behavioral2/memory/2084-150-0x0000000000400000-0x0000000000450000-memory.dmp netwire -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
SecuriteInfo.com.Variant.Tedy.224685.104.8005.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SecuriteInfo.com.Variant.Tedy.224685.104.8005.exedescription pid process target process PID 4844 set thread context of 2084 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
SecuriteInfo.com.Variant.Tedy.224685.104.8005.exepowershell.exepid process 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe 4808 powershell.exe 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe 4808 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
SecuriteInfo.com.Variant.Tedy.224685.104.8005.exepowershell.exedescription pid process Token: SeDebugPrivilege 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe Token: SeDebugPrivilege 4808 powershell.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
SecuriteInfo.com.Variant.Tedy.224685.104.8005.exedescription pid process target process PID 4844 wrote to memory of 4808 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe powershell.exe PID 4844 wrote to memory of 4808 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe powershell.exe PID 4844 wrote to memory of 4808 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe powershell.exe PID 4844 wrote to memory of 4604 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe schtasks.exe PID 4844 wrote to memory of 4604 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe schtasks.exe PID 4844 wrote to memory of 4604 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe schtasks.exe PID 4844 wrote to memory of 2820 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe PID 4844 wrote to memory of 2820 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe PID 4844 wrote to memory of 2820 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe PID 4844 wrote to memory of 2084 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe PID 4844 wrote to memory of 2084 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe PID 4844 wrote to memory of 2084 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe PID 4844 wrote to memory of 2084 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe PID 4844 wrote to memory of 2084 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe PID 4844 wrote to memory of 2084 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe PID 4844 wrote to memory of 2084 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe PID 4844 wrote to memory of 2084 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe PID 4844 wrote to memory of 2084 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe PID 4844 wrote to memory of 2084 4844 SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fRnurKmGZs.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fRnurKmGZs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F9D.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.224685.104.8005.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp8F9D.tmpFilesize
1KB
MD502a26d600a334237ec8cebab6a504f44
SHA149a8c9632fe2f41e5fe281a12757ef2e3009b8d6
SHA2568030c2b1960c89943fac2ae02a929c96636d42cee9fe850f6a01b47e02321c64
SHA5120845a5c5c2513ab9320481d7aa66a691261342c602920b4ed650036c674114507ee2f5d0756fa9b9f4247ba24ac5f241588adccf7930ce6ddcf7b2dd16a7d29a
-
memory/2084-150-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/2084-149-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/2084-147-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/2084-145-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/2084-144-0x0000000000000000-mapping.dmp
-
memory/2820-143-0x0000000000000000-mapping.dmp
-
memory/4604-139-0x0000000000000000-mapping.dmp
-
memory/4808-155-0x0000000007430000-0x0000000007AAA000-memory.dmpFilesize
6.5MB
-
memory/4808-156-0x0000000006DE0000-0x0000000006DFA000-memory.dmpFilesize
104KB
-
memory/4808-151-0x0000000005AE0000-0x0000000005AFE000-memory.dmpFilesize
120KB
-
memory/4808-138-0x0000000000000000-mapping.dmp
-
memory/4808-160-0x0000000007120000-0x000000000713A000-memory.dmpFilesize
104KB
-
memory/4808-146-0x0000000004B30000-0x0000000004B52000-memory.dmpFilesize
136KB
-
memory/4808-159-0x0000000007010000-0x000000000701E000-memory.dmpFilesize
56KB
-
memory/4808-148-0x0000000004BD0000-0x0000000004C36000-memory.dmpFilesize
408KB
-
memory/4808-152-0x00000000060A0000-0x00000000060D2000-memory.dmpFilesize
200KB
-
memory/4808-158-0x0000000007060000-0x00000000070F6000-memory.dmpFilesize
600KB
-
memory/4808-161-0x0000000007100000-0x0000000007108000-memory.dmpFilesize
32KB
-
memory/4808-142-0x0000000004D70000-0x0000000005398000-memory.dmpFilesize
6.2MB
-
memory/4808-157-0x0000000006E50000-0x0000000006E5A000-memory.dmpFilesize
40KB
-
memory/4808-153-0x0000000073720000-0x000000007376C000-memory.dmpFilesize
304KB
-
memory/4808-154-0x0000000006080000-0x000000000609E000-memory.dmpFilesize
120KB
-
memory/4808-140-0x00000000021B0000-0x00000000021E6000-memory.dmpFilesize
216KB
-
memory/4844-132-0x0000000000670000-0x0000000000732000-memory.dmpFilesize
776KB
-
memory/4844-135-0x00000000050F0000-0x00000000050FA000-memory.dmpFilesize
40KB
-
memory/4844-134-0x0000000005120000-0x00000000051B2000-memory.dmpFilesize
584KB
-
memory/4844-136-0x000000000B1A0000-0x000000000B23C000-memory.dmpFilesize
624KB
-
memory/4844-137-0x000000000B5B0000-0x000000000B616000-memory.dmpFilesize
408KB
-
memory/4844-133-0x00000000056D0000-0x0000000005C74000-memory.dmpFilesize
5.6MB